Bugfix: Catch the fatal error if wp_generate_password is not available — the function may not be loaded early enough in WordPress.
2.0.0
New name: Plugin renamed from Auto Refresh API AJAX to Live Data Display. The plugin slug (auto-refresh-api-ajax) and all existing settings are unchanged.
Multiple slots: The plugin now supports any number of independent data slots, each with its own URL, refresh interval, JSON path, selector, prefix, suffix, error text, and active flag.
Shortcode: New [araa slot="slot_1"] shortcode renders a self-contained element with the correct ID and class. Accepts optional tag and class attributes.
Gutenberg block: Native block with live editor preview via a REST endpoint (/wp-json/araa/v1/preview).
Server-side initial value: Slots with refresh interval ≥ 10 s pre-render their value on the server (two-level cache: per-request static + WP transient). Visitors see data immediately without waiting for the first Ajax cycle.
Security — CSRF/abuse protection: All admin-ajax proxy requests are now verified with a WordPress nonce (araa_ajax_nonce).
Security — SSRF mitigation: The admin-ajax proxy validates the target URL with wp_http_validate_url() before fetching.
Security — XSS fix: API values injected into the page via the output buffer are now HTML-escaped with esc_html().
Security — output-buffer fix: Replaced nested ob_start() calls (one per slot) with a single buffer that applies all placeholder replacements at once.
Prefix / suffix / error text fields added to every slot.
Active / inactive toggle per slot.
Page-visibility API: Frontend pauses polling while the tab is hidden.
Built-in demo APIs: Three public REST API endpoints under /wp-json/araa/v1/api/ provide ready-to-use live data (time, countdown, random number). Each endpoint is opt-in and must be activated individually under Settings → Live Data Display → API.
Settings migration: Automatically migrates settings from v1.2.10 (flat option) and v1.2.11 (single-slot JSON) to the new multi-slot format.
Tested up to WordPress 6.9.
1.2.10
Plugin is ok with WP 6.5.4.
Compatible with Plugin Check Plugin 1.0.1 (one expected warning regarding nonce-less GET parameter handling — see FAQ).
wp_remote_get replaces file_get_contents.
Added wp_json_encode before using received JSON.
Improved output-escaping and nonce-checking.
1.2.9
Plugin is ok with WP 6.4.3 and PHP 8.
Improved backend design.
Fix: $_SERVER['SERVER_NAME'] may be unset when running under WP-CLI.
1.2.8
Security fix: Cross-Site Scripting (XSS) vulnerability in the admin area reported by Rio D. — thank you!
1.2.7
Plugin is ok with WP 6.1.1.
Fixes for PHP 8.1 compatibility.
1.2.6
Pass GET parameters from the current page to the remote JSON API using #GET_key# placeholders in the API URL.
1.2.5
Plugin is ok with WP 5.8.2.
Bugfix: sorting out local vs. external JSON URLs.
1.2.4
Plugin is ok with WP 5.8.1.
Bugfix: local server JSON URLs now handled correctly.
1.2.3
Plugin is ok with WP 5.5.1.
Bugfix: passing parameters from PHP to JS; added validation on the settings page.
1.2.2
Plugin is ok with WP 5.4 and PHP 7.4.
1.2.1
Minor bugfix: missing function added.
1.2.0
Added server-side initial value loading and initial-hide selector.
1.1.0
Added second proxy method for cross-origin Ajax calls.